27

I successfully authenticate with 2 factor but when using `aws s3 ls` I keep getting

An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.

And I do have admin rights.

Elijah Lynn

7 Answers

28

Issue was that I wasn't passing the `--region` in, e.g. `aws s3 --region us-gov-west-1 ls`. I suppose this could be set with an ENV variable too. That error message is a candidate for improvement.

Elijah Lynn
  • Defining a default region using `export AWS_DEFAULT_REGION="{{region}}"` will save you debug time if working with non-default [AWS partitions](https://docs.aws.amazon.com/sdkforruby/api/Aws/Partitions.html) such as `aws-cn`. – patlachance Dec 29 '19 at 08:51
  • 2
    I think that the `aws` tool just needs a better error message. If I can reproduce this again soon I'll open an upstream issue here https://github.com/aws/aws-cli/issues. If anyone is currently getting this error on the latest version of aws cli and it is because the region is missing, please open a new issue here https://github.com/aws/aws-cli/issues/new/choose. – Elijah Lynn Oct 30 '20 at 23:29
  • 1
    Nice, just found an issue for this opened on Sept 22, 2020, it was closed but I requested it to be re-opened. It is allegedly a server side error coming from the S3 API. https://github.com/aws/aws-cli/issues/5564 – Elijah Lynn Oct 30 '20 at 23:32
  • 2
    Working with gov cloud here, `us-gov-west-1` vs `us-west-1` fixed the problem – William Ardila Feb 25 '22 at 17:14
20

This error also occurs when aws cli reads the `aws_session_token` and `aws_security_token` declared in the ~/.aws file, which might be associated with a previously used account. Removing both and leaving just the key and the credentials associated with the account where the bucket is will force aws to establish the connection.

catch22
  • This is also true if you have the environment variable `AWS_SESSION_TOKEN` defined for another user, not only in the ~/.aws files. So, be sure to remove it from the current session to avoid the problem (e.g. `unset AWS_SESSION_TOKEN`). – iakko May 04 '22 at 14:05
12

Please delete the .aws/credentials file from your user account and reconfigure your aws cli. If you are already associated with another account, there is a high chance of this type of error.

sachin
  • 4
    It's not necessary to delete `~/.aws/credentials` at all. At most, just open `~/.aws/credentials` with a text editor, delete the `aws_security_token` line from the user account you're using, save the file, and retry. – RAM Jul 11 '21 at 15:55
  • I have deleted the token line from the `~/.aws/credentials` but the error persists. – Lazarus Thurston Dec 30 '22 at 15:15
3

Run aws configure

  1. You may leave access key and access key id blank if you have an IAM role attached

  2. Set value for 'region'

Now you will be able to successfully run 'aws s3 ls'

Else run 'aws s3 ls --region '

Ojasvi Monga
Parul Singh
2

If you are using AWS Single Sign-on you can pass `--profile <profile_name>` and it should solve the issue

arnino
  • On Windows, in a command prompt: `aws sso login --profile`, then used `sam local invoke 'HelloWorldFunction' --profile`, and it works (no Invalid Token error...) – Carl Jan 13 '23 at 15:20
1

In the .aws credentials file remove session token and it will work

Harshit
0

`~/.aws/credentials` sometimes has 2 entries for "default". Remove the one you don't need; sometimes it might be just blank.

Impermanence
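
A read-only check for the local causes the answers above report (no region set, a leftover session or security token, a duplicated `[default]` section), added here as an example and not code from any answer or from the AWS CLI. The function names, finding labels and sample credentials file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report the local settings the answers
# above blame for InvalidToken. Prints finding names only, never secret values.

# Usage: check_invalid_token_causes [credentials_file] [profile]
check_invalid_token_causes() {
    local creds="${1:-$HOME/.aws/credentials}"
    local profile="${2:-${AWS_PROFILE:-default}}"

    # No region in the environment (it may still be set in ~/.aws/config).
    if [ -z "${AWS_DEFAULT_REGION:-}" ]; then
        echo "ENV_REGION_UNSET"
    fi
    # A session token set in this shell, possibly for another identity.
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        echo "ENV_SESSION_TOKEN_SET"
    fi
    [ -f "$creds" ] || return 0

    # Walk the INI file: flag token keys inside the selected profile and any
    # section header that appears more than once.
    awk -v want="[$profile]" '
        /^[ \t]*\[/ {
            gsub(/[ \t]/, ""); section = $0
            if (++seen[section] == 2) dup[++n] = section
            next
        }
        section == want && /^[ \t]*aws_(session|security)_token[ \t]*=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            print "FILE_TOKEN " key
        }
        END { for (i = 1; i <= n; i++) print "DUPLICATE_SECTION " dup[i] }
    ' "$creds"
}

# Constructed sample file: a stale token under [default] plus a second, empty
# [default] header. The key values are placeholders, not real credentials.
demo_invalid_token_check() {
    local f; f="$(mktemp)"
    printf '%s\n' '[default]' 'aws_access_key_id = EXAMPLEKEYID' \
        'aws_secret_access_key = EXAMPLESECRET' 'aws_session_token = STALE' \
        '[other]' 'aws_session_token = IGNORED' '[default]' > "$f"
    ( AWS_DEFAULT_REGION=''; AWS_SESSION_TOKEN=''; check_invalid_token_causes "$f" default )
    rm -f "$f"
}
```

Each finding is a prompt to inspect that setting, not proof that it is the cause; the region can also come from `~/.aws/config` or `--region`.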